Security Researchers Threatened With US Cybercrime Laws
An anonymous reader writes "The Guardian reports that many of the security industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure. 'HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by U.S. law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet. ... Zach Lanier, senior security researcher at Duo Security, said many of his team had "run into possible CFAA issues before in the course of research over the last decade." Lanier said that after finding severe vulnerabilities in an unnamed "embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action.'"
The NSA and other security services will not want security researchers to find and fix vulnerabilities the security services are exploiting.
So security researchers and/or security reporters in the UK cannot warn about a lot of unpatched webpages in the UK, but hackers all over the globe can hack and abuse them.
Yeah, makes a damn lot of sense.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They're very effective. To paraphrase Futurama:
Documentary Narrator: Fortunately, our most expensive lawyers sued the security researchers and shut them up. Of course, the security holes are still there, we just sue anyone who talks about them. Thus solving the problem once and for all.
Suzie: But...
Documentary Narrator: Once and for all!
Sadly, too many companies don't see this as a joke, but as a valid security vulnerability response strategy.
That's a really bad analogy.
It is. It's more like the wet napkin has retained an imprint of the credit card and you have left the napkin behind on the bar. Someone then takes the napkin, hands it to you and says "you want to be careful with these wet napkins, look". You call the police because someone you don't know has your credit card details.